1565241 – APB parameters (including passwords) all displayed in plaintext in APB pod logs/definition

Bug 1565241 - APB parameters (including passwords) all displayed in plaintext in APB pod logs/definition

Summary: APB parameters (including passwords) all displayed in plaintext in APB pod lo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker
Sub Component:
Version:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	---
Target Release:	3.10.0
Assignee:	Michael Hrivnak
QA Contact:	Zihan Tang
Docs Contact:
URL:
Whiteboard:
Depends On:	1572449
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-09 17:36 UTC by Dylan Murray
Modified:	2018-07-30 19:13 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2018-07-30 19:12:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	ansibleplaybookbundle apb-base pull 25	0	None	None	None	2018-04-26 19:20:36 UTC
Red Hat Product Errata	RHBA-2018:1816	0	None	None	None	2018-07-30 19:13:02 UTC

Description Dylan Murray 2018-04-09 17:36:30 UTC

Description of problem:
When declaring APB parameters such as a password, the user expects that noone else will be able to see this password. What happens though is that the broker passes the list of parameters as arguments to the APB container image that is run in the transient namespace.

When declaring passwords, these parameters still show up in the pod definition and in the pod logs in plaintext.

Version-Release number of selected component (if applicable):
3.9.0

How reproducible:
100%

Steps to Reproduce:
1. Create an APB with a password as an input parameter
2. Deploy APB and read the logs of the APB in the transient namespace

Actual results:
Observe inputted password in plaintext.

Expected results:
Password is either hidden or obfuscated.

Additional info:

Comment 1 Veer Muchandi 2018-04-09 17:43:59 UTC

This is considered security risk by enterprises. Even a cluster admin should not see these passwords.

Comment 2 Michael Hrivnak 2018-04-17 15:31:15 UTC

https://github.com/ansibleplaybookbundle/apb-base/pull/25

Comment 3 Zihan Tang 2018-04-26 05:30:44 UTC

Using image postgresql-apb v3.10.0-0.16.0.1 , the password in sandbox namespace is still in plain text .
[root@host-172-16-120-54 ~]# oc get pod 
NAME                                       READY     STATUS      RESTARTS   AGE
apb-c138ac58-6f43-4e7e-861a-930e1453f858   0/1       Completed   0          2h
[root@host-172-16-120-54 ~]# oc logs -f apb-c138ac58-6f43-4e7e-861a-930e1453f858 
+ [[ provision --extra-vars {"_apb_last_requesting_user":"zitang","_apb_plan_id":"dev","_apb_service_class_id":"d5915e05b253df421efe6e41fb6a66ba","_apb_service_instance_id":"2e49e789-4900-11e8-9198-0a580a800003","cluster":"openshift","namespace":"post-dev","postgresql_database":"admin","postgresql_password":"dddd","postgresql_user":"admin","postgresql_version":"9.6"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=provision
+ shift
+ playbooks=/opt/apb/actions
+ CREDS=/var/tmp/bind-creds
+ TEST_RESULT=/var/tmp/test-result
+ whoami
+ '[' -w /etc/passwd ']'
++ id -u
+ echo 'apb:x:1000180000:0:apb user:/opt/apb:/sbin/nologin'
+ set +x
+ [[ -e /opt/apb/actions/provision.yaml ]]
+ ANSIBLE_ROLES_PATH=/etc/ansible/roles:/opt/ansible/roles
+ ansible-playbook /opt/apb/actions/provision.yaml --extra-vars '{"_apb_last_requesting_user":"zitang","_apb_plan_id":"dev","_apb_service_class_id":"d5915e05b253df421efe6e41fb6a66ba","_apb_service_instance_id":"2e49e789-4900-11e8-9198-0a580a800003","cluster":"openshift","namespace":"post-dev","postgresql_database":"admin","postgresql_password":"dddd","postgresql_user":"admin","postgresql_version":"9.6"}'

wait for the image ready and change it to modified .

Comment 4 David Zager 2018-04-26 12:42:08 UTC

https://errata.devel.redhat.com/advisory/33505 Moved to ON_QE with the following builds.

openshift-enterprise-apb-base-docker-v3.10.0-0.29.0.1
openshift-enterprise-apb-tools-v3.10.0-0.16.0.3
openshift-enterprise-asb-docker-v3.10.0-0.29.0.1
openshift-enterprise-mariadb-apb-v3.10.0-0.29.0.1
openshift-enterprise-mediawiki-apb-v3.10.0-0.29.0.1
openshift-enterprise-mysql-apb-v3.10.0-0.29.0.1
openshift-enterprise-postgresql-apb-v3.10.0-0.29.0.1

You need to be using postgresql-apb v3.10.0-0.29.0.1 and this image is available, if no where else, in brew at brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/postgresql-apb:v3.10.0-0.29.0.1

Comment 5 Zihan Tang 2018-04-27 05:37:24 UTC

stage registry is broken, set it depend on bug 1572449

Comment 6 Zihan Tang 2018-05-03 10:09:34 UTC

verified.
postgresql-apb:v3.10.0-0.32.0.0

the password is hidden in sandbox.
[root@host-172-16-120-48 ~]# oc logs -f apb-7e69d9ff-7ae3-4e5b-8a94-2af562e9cb74

PLAY [Deploy rhscl-postgresql-apb to "openshift"] ******************************

TASK [ansible.kubernetes-modules : Install latest openshift client] ************
skipping: [localhost]

TASK [ansibleplaybookbundle.asb-modules : debug] *******************************
skipping: [localhost]

TASK [rhscl-postgresql-apb : Find pod we need to update] ***********************
skipping: [localhost]

TASK [rhscl-postgresql-apb : Find dc we will clean up] *************************
skipping: [localhost]

TASK [rhscl-postgresql-apb : Find deployment we will clean up] *****************

Comment 8 errata-xmlrpc 2018-07-30 19:12:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816

Note You need to log in before you can comment on or make changes to this bug.